
Apache security "leak" noted with .DS_Store files

CNET staff
Christopher Graham sent us the following note, posted to the Apache Webserver Weekly mailings:

    "Mac OS X users should be aware of a potential problem, as the Finder creates .DS_Store files in viewed directories. Unless Apache is configured to deny access to these files, a remote user can request them and be given a list of files in the directory."

Note: The .DS_Store file stores Finder view settings (icon positions, window layout) keyed by file name, so it carries the names of every entry in the folder, including files that no page links to and that a visitor could not otherwise discover when directory indexes are turned off.
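To show what a fetched .DS_Store actually gives an attacker, here is an added example (not from the original note, and not Apple's or Apache's code) that pulls the file names out of a .DS_Store image. Real files start with the bytes 00 00 00 01 followed by "Bud1", and each record in the file holds a big-endian length, the file name in UTF-16BE, a 4-byte structure id such as "Iloc" and a 4-byte type tag such as "blob". The scanner below does not walk the allocator or B-tree; it is a heuristic that accepts a position as a record when length, encoding and type tag all check out, and the sample it runs on is constructed here, not a file written by the Finder.

```python
import struct

# Type tags used by .DS_Store records. Assumption: this short list is enough
# for the heuristic; a file written by a newer Finder may use others.
KNOWN_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}

MAGIC = b"\x00\x00\x00\x01Bud1"


def extract_names(data: bytes) -> list[str]:
    """Heuristic scan of a .DS_Store image for the file names it records.

    Record layout: uint32 length (in UTF-16 code units), name in UTF-16BE,
    4-byte structure id (e.g. b"Iloc"), 4-byte type tag (e.g. b"blob"), data.
    The scanner slides over the image one byte at a time and only accepts a
    position as a record when the length is sane, the name decodes to
    printable text and the type tag is one we know.
    """
    if not data.startswith(MAGIC):
        raise ValueError("not a .DS_Store file (missing Bud1 magic)")
    names: list[str] = []
    i = len(MAGIC)
    while i + 4 <= len(data):
        n = struct.unpack(">I", data[i:i + 4])[0]
        if 1 <= n <= 255 and i + 4 + 2 * n + 8 <= len(data):
            raw = data[i + 4:i + 4 + 2 * n]
            tag = data[i + 4 + 2 * n + 4:i + 4 + 2 * n + 8]
            if tag in KNOWN_TYPES:
                try:
                    name = raw.decode("utf-16-be")
                except UnicodeDecodeError:
                    name = ""
                if name and name.isprintable():
                    if name not in names:      # several records per name is normal
                        names.append(name)
                    i += 4 + 2 * n + 8           # skip to the record's data
                    continue
        i += 1
    return names


def build_sample() -> bytes:
    """Constructed sample image (not a real Finder file): header padding plus
    four records, two of them for the same name."""
    def record(name: str, struct_id: bytes, struct_type: bytes, payload: bytes) -> bytes:
        encoded = name.encode("utf-16-be")
        return struct.pack(">I", len(encoded) // 2) + encoded + struct_id + struct_type + payload

    blob16 = struct.pack(">I", 16) + b"\x00" * 16
    image = MAGIC + b"\x00" * 28
    image += record("admin_backup.sql", b"Iloc", b"blob", blob16)
    image += record("admin_backup.sql", b"vSrn", b"long", struct.pack(">I", 1))
    image += record("config.php.bak", b"Iloc", b"blob", blob16)
    image += record(".", b"bwsp", b"blob", struct.pack(">I", 4) + b"\x00" * 4)
    return image


if __name__ == "__main__":
    # Against a real leak you would run: extract_names(open(".DS_Store", "rb").read())
    for name in extract_names(build_sample()):
        print(name)
```

The "." entry is the folder's own view settings; everything else is a file or subfolder name that the server never intended to publish, which is why the note above treats a readable .DS_Store as a directory listing.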

Update: Christopher adds: "Use the following lines in the Apache Configuration file (httpd.conf) to disallow reading of the files." Request the file (for example http://yourserver/.DS_Store) before the change and again after restarting Apache, and confirm that the second request is refused rather than returning the file.

    <Files ~ "^\.DS_Store">
    Order allow,deny
    Deny from all
    </Files>

Update: Another reader reports: "The fix does not entirely remedy the problem if you are running Apache on an HFS Plus volume. In that case, you can still access the .DS_Store file just by entering the name in a different case, e.g. .ds_store. This has to do with the case-sensitivity issue reported previously (see SecurityFocus and MacFixIt coverage). To overcome both security problems, you should add both uppercase and lowercase letters in the Files rule:

    <Files ~ "^\.[Dd][Ss]_[Ss]">
    Order allow,deny
    Deny from all
    </Files>

This will block any files beginning with ".DS_S" (no matter if you use upper or lower case letters) from being viewed."
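The two rules quoted above, checked against several request spellings, as an added example (not part of the original post and not Apache code). Apache applies a `<Files ~ regex>` to the final component of the requested path as the client spelled it, so the simulation applies the rule to the request name first and then models the HFS Plus lookup as case-insensitive; the assumption is that Python's re and Apache's PCRE agree on patterns this simple, which they do for these. The third rule goes beyond the page: `(?i)` is the PCRE way to make the match case-insensitive and is also accepted by Apache, and it is anchored with `$` so it only covers the exact name.

```python
import re

# The two rules from the page, plus an anchored case-insensitive PCRE form.
RULE_ORIGINAL = r"^\.DS_Store"        # misses .ds_store on a case-insensitive volume
RULE_FIXED = r"^\.[Dd][Ss]_[Ss]"      # the reader's fix: any case, anything starting .DS_S
RULE_PCRE_I = r"(?i)^\.ds_store$"     # added here: exact name, any case

# Constructed request spellings a tester would try; ".DS_Store.old" only shows
# that the unanchored rules also cover names that merely begin with .DS_S.
PROBES = [".DS_Store", ".ds_store", ".Ds_StOrE", ".DS_Store.old"]


def deny_matches(rule: str, filename: str) -> bool:
    """Does a <Files ~ rule> deny this requested path component?"""
    return re.search(rule, filename) is not None


def request_outcome(rule: str, request_name: str, stored_name: str,
                    case_insensitive_fs: bool) -> str:
    """Model one request for request_name from a directory holding stored_name.

    Returns 'denied' when the rule matches the requested spelling, 'served'
    when the rule misses and the filesystem resolves the name to the stored
    file, and 'not found' otherwise.
    """
    if deny_matches(rule, request_name):
        return "denied"
    same = request_name == stored_name
    if not same and case_insensitive_fs:
        same = request_name.lower() == stored_name.lower()
    return "served" if same else "not found"


def probe(rule: str, stored_name: str = ".DS_Store",
          case_insensitive_fs: bool = True) -> dict[str, str]:
    """Run every probe spelling against one rule and collect the outcomes."""
    return {name: request_outcome(rule, name, stored_name, case_insensitive_fs)
            for name in PROBES}


if __name__ == "__main__":
    for label, rule in [("original", RULE_ORIGINAL), ("fixed", RULE_FIXED), ("pcre (?i)", RULE_PCRE_I)]:
        print(label)
        for name, outcome in probe(rule).items():
            print(f"  {name:16} -> {outcome}")
```

On the live server the equivalent check is a request for each spelling, for example with `curl -sI http://yourserver/.ds_store`, expecting a 403 for all of them once the rule is in place. Two practitioner caveats: the `Order`/`Deny` directives shown on this page are Apache 2.2 syntax (on 2.4 the equivalent is `Require all denied`, with the old directives only available through mod_access_compat), and a deny rule only hides the file from HTTP; keeping .DS_Store out of the document root in the first place, for instance by excluding it when files are copied to the server, removes the leak rather than masking it.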